Go to page

Registered

I'm looking for some advice on risk benefit analysis (RBA). In particular the 14971:2012 requirements.

Currently we only perform RBAs for individual risks that have the highest severity, regardless of final RPN. This is a severity of 10 in our 1-10 scoring where harm to the user starts at 6. Currently no one really knows what a best practice method of writing an RBA looks like. They usually end up being a few paragraphs explaining the risk and why its no problem.

I'm aware that within the 2012 version there is a requirement for RBA's for individual risks and an overall RBA.

I've been doing lots of background reading where it is suggested the overall RBA and individual RBA be linked to the clinical evaluation. Would this take the form of a bridging document referencing the risks from the RMF and where they are assessed in the clinical evaluation. With the overall risk benefit analysis being performed which is reviewed by a clinician.

Any advice, guidance or personal experience would be more than welcome.
Thanks
Will.

Addicted to standards

What does exist is that the annexes to the EN 2012 version mention this as one of the usually crazy deviations.

In fact, it does not make sense to perform a risk/benefit analysis for individual risks (which is the reason no one knows what do to - no one has ever done this before for any implementation of risk management that I know).

What it does make sense is to always perform a risk/benefit analysis for the aggregate risks (overall). In fact, this is one of the proposed changes in the new revision of ISO 14971.

Problem Solver

The way I understand things, no bridging document is required because the Clinical Evaluation needs to address residual risks anyway. The Clnical Evaluation and Risk Management processes are supposed to feed each other, on a continuous basis (ie, if one's output changes, the other needs to be updated).

What does exist is that the annexes to the EN 2012 version mention this as one of the usually crazy deviations.

In fact, it does not make sense to perform a risk/benefit analysis for individual risks (which is the reason no one knows what do to - no one has ever done this before for any implementation of risk management that I know).

Yet we STILL have to do it to provide a risk file that will be acceptable to the technical file reviewer!

What I have done (and I'm hoping this opens the discussion more) is, for each risk in my table, make the assertion that the company has reviewed the (individual) residual risk against the benefits and concluded that the benefits outweigh the risks. I realize that's mostly hand-waving but it's been acceptable so far.

Further, though, I *do* essentially bridge the assessment with clinical evaluation / actual use info in the risk management report. I state (in the report) that ongoing field use has demonstrated that the benefits are confirmed to outweigh the residual risk, both individually and in aggregate.

Again, I don't know if there's a better way but I had to do something and this has been working so far. I'd welcome a discussion of other approaches, flaws with this approach, etc.

Involved In Discussions

Risk/benefit analysis is introduced to risk analysis by ISO/TR 24971:2013. Since there isn't any statistical data best way to close each individual residual risk is risk/benefit analysis. Since most of medical device manufacturers don't care anything they are reducing all risks to acceptable level, people are insisting risk/benefit analysis to each residual risk.

Registered

Thanks for the welcome and the input. Lots of great stuff to think about.

The way I currently see/understand the requirements surrounding RBAs is similar to how Ronen E. describes. The clinical evaluation covers all the residual risks in making an overall risk benefit analysis decision.

The clinical evaluation references the risks in the RMF and the RMF references where the RBA decision is made for each risk. Essentially both documents will contain a section pointing at the other. I believe in this way both requirements (individual and overall RBA) can be met.

Just so we're on the same page, when I say risk I mean failure effect rather than failure mode.

Addicted to standards

The way I understand things, no bridging document is required because the Clinical Evaluation needs to address residual risks anyway. The Clnical Evaluation and Risk Management processes are supposed to feed each other, on a continuous basis (ie, if one's output changes, the other needs to be updated).